Dealing with Failed Logins on Your WordPress

Many people are alarmed when they notice failed logins on their WordPress websites and blogs. Security- and tech-savvy people, on the other hand, are not much bothered by failed login attempts and say that they are the norm.

Does your WordPress website receive a lot of failed login attempts? Are they something you should be worried about, and should you do anything about them? In this article I am going to explain why your WordPress gets such attacks and what you should do about them.

There Are Many Failed Login Attempts on Your WordPress

Those who install a WordPress audit trail plugin on their WordPress are typically surprised by the number of failed login attempts their WordPress websites get. Below is a post from the WP Security Audit Log plugin support forum that sums up what many WordPress administrators might think:

Does this plugin really work?

The audit log shows my blog gets so many failed log attempts from various countries like Ukraine, Russia, Vietnam, China etc. almost every day. I am not sure why so many people want to hack my small site. It doesn’t even have much content. I don’t even make any profit from my site as I don’t have any ads or anything. So why does my site get so many failed log attempts? Today some random person from Ukraine tried 10+ times to access my and my partner’s account. I am not sure whether this plugin really works or it just generates some false alarms or something.

What the user reported were not false alarms. If you install a WordPress audit trail plugin on your WordPress websites you will see the same type of activity, irrespective of the website’s popularity and profitability.

Why Do Hackers Want to Login to Your WordPress?

The majority of attack attempts on your WordPress are not targeted specifically at your website, as explained in Targeted vs non-targeted WordPress attacks. The failed logins on your WordPress are generated by automated bots (robots) that malicious hackers use to crawl the internet, looking for WordPress websites with weak credentials.

Your WordPress website is the recipient of such attacks because it is online. They are in no way related to how popular your website is, and in fact such activity is seen on any other type of website. Even non-WordPress websites receive this type of request, because most bots simply send requests to any responding domain.

There are several other WordPress security improvements that you can implement to protect your login page, such as redirecting the login page and adding CAPTCHA to the login page. However, if you use either HTTP authentication or two-factor authentication, that should be enough.

Should I Block the Offending IP Addresses?

One commonly suggested remediation for thwarting failed login attacks on your WordPress is to block the offending IP address(es). Unless your website is the target of a brute force attack, I would not recommend going down that route, mainly because the options attackers have to bypass such blocks are infinite, and you’ll end up in a cat-and-mouse game.

Start with the Basics – Use Strong Credentials for Your WordPress

As with almost everything else, by addressing the basics you ensure that your WordPress website does not fall victim to such common attacks, and you should not have to worry about them. Avoid using common usernames such as admin, root, or your first name, and secure your WordPress administrator user. Use a combination of letters and numbers for your usernames and a combination of letters, numbers and special characters for your passwords.

Other WordPress Login Page Security Improvements

Bonus WordPress Login Page Security Tip

If you always access the WordPress dashboard (admin pages) from the same IP address / location, restrict access to the WordPress login page to your IP address. For more information on how to restrict access to a specific IP address or how to enable HTTP authentication, refer to our definitive guide of htaccess and WordPress.
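
A minimal .htaccess sketch of this tip combined with HTTP authentication, added here as an example (it is not taken from the guide referred to above). It assumes Apache 2.4 with AllowOverride permitting authentication directives; 203.0.113.10 is a placeholder for your own address and the AuthUserFile path is hypothetical.

```apache
# .htaccess in the WordPress root directory (Apache 2.4 syntax).
# Applies only to the login script; the rest of the site stays public.
<Files "wp-login.php">
    # HTTP authentication in front of the WordPress login form.
    AuthType Basic
    AuthName "Restricted"
    # Hypothetical path: keep the password file outside the web root.
    # Create it with: htpasswd -c /home/example/.htpasswd yourname
    AuthUserFile /home/example/.htpasswd

    # Both conditions must hold: the request comes from the allowed
    # address AND the visitor supplies valid HTTP credentials.
    # 203.0.113.10 is a placeholder; replace it with your static IP.
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>

    # To use the IP restriction alone, remove the Auth* lines and
    # "Require valid-user", leaving only the "Require ip" line.
</Files>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than yours, so `Require ip` only works as intended once the real client address is restored (for example with mod_remoteip).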